Access Requirements to Cyber-Security Data Sets Could See More Changes

Changes may come for those allowed to research and access data sets in the U.S. Department of Homeland Security’s cyber-defense.

It’s been one month since the U.S. Department of Homeland Security (DHS) posted a notice Sept. 1 in the Federal Register asking for comments on updated forms that determine which researchers are allowed access to data sets that can aid cyber-security research and development.

The program is called the Protected Repository for the Defense of Infrastructure Against Cyber Threats (PREDICT), created by the DHS Science and Technology Directorate.

The window for comments closes Friday, Oct. 1, and some changes could be made based on suggestions received.

“I don’t anticipate drastic ones, so it’s very possible that we could have them done by the end of the calendar year without a problem,” said Douglas Maughan, program manager for the Science and Technology Directorate’s cyber-security research.

The federal government created PREDICT to help organizations use existing data sets for cyber-security research. The work could support technology development that helps people keep networks and data safe. Researchers must apply to gain access to the data sets through the PREDICT portal, but Maughan wouldn’t speak about what requirements they had to meet for eligibility except that they must be U.S. citizens.

“Right now, the biggest criteria has been international versus U.S., and we don’t allow international access because it’s built on a legal framework of U.S. law,” he said. “When they get data, they sign agreements on how they’re going to handle the data, and they’re not going to send it overseas — that kind of stuff.”

Maughan expects comments to primarily come from a research community of academia and the private sector, those who currently use PREDICT and from privacy rights advocates.

Phase two of PREDICT has already started and will offer data sets that include personally identifiable information ostensibly to help researchers find ways to better safeguard such information in the real world.

Timing for any changes to take place is uncertain because it depends on how many comments were received, if any, as well as other factors. Those wishing to comment were required to submit their statements to the Office of Information and Regulatory Affairs in the Office of Management and Budget (OMB).

If no comments are received, the Science and Technology Directorate will keep the updated forms as is without making modifications. The forms were last updated in April 2010.

“If there are comments, those will be compiled and provided to us by the OMB. We would essentially respond to those in some fashion, and if it requires us to make changes to the forms, then we would have to go through the process of doing that to address whatever comments that might come in,” Maughan said.